[NEWS] KeyManager Issue in ISS RealSecure on Nokia Appliances

From: support@securiteam.com
Date: 03/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 22 Mar 2002 11:32:35 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  KeyManager Issue in ISS RealSecure on Nokia Appliances
------------------------------------------------------------------------

SUMMARY

This advisory documents an issue when using RealSecure NIDS on Nokia
appliances. It appears that during development a test system named
"starscream" and a test user "skank" were used, and this pair was left
behind in the IPSO image as a KeyManager entry in the ISS.ACCESS file.

Depending on the configuration of the NIDS, this information could
potentially be used to push new pubkey files to the sensor and to
reconfigure or take control of the NIDS daemon and its components.

DETAILS

Vulnerable systems:
RealSecure version 6.0

Immune systems:
RealSecure version 6.5

When you install RealSecure on any platform, a file named ISS.ACCESS is
created and used for various configuration settings, including the
following lines:

--ISS Access 6.0--
[\];
[\Roles];
[\Roles\KeyAdministrator\];
[\Roles\KeyAdministrator\machinename_username\];
[\Roles\KeyAdministrato\starscream_skank\];
[\Roles\MasterStatusManager\];

The Roles\KeyAdministrator line is used to determine the machine name and
username of what ISS calls the KeyAdministrator. This user has the ability
to manage the keys used when communicating with the daemon.

This line is added during installation, but the second line,
\starscream_skank, is present in the IPSO image as a "default". It does
not exist on any other platform or in the HIDS RealSecure product.

The vulnerability lies in the fact that a KeyAdministrator can
essentially control the functions of the daemon, including which events
it monitors for and how it alerts. It is important to understand that
this is only possible if RealSecure is configured to rely on the console
system to push the necessary public keys to it, which is the default
installation method.

If the Nokia Voyager web applet is used to install this IPSO, you do not
have the option to turn on authentication. Authentication in this case
means that the administrator must manually copy the necessary keys to
the sensor via sneakernet or another secure channel.

Mitigating Factors:
The RealSecure NIDS sensor listens on two TCP ports: TCP-2998 is used to
control the daemon, while TCP-901 is used to monitor events. Obviously,
you do not want to allow these ports to pass through your firewall. In an
ideal situation, the NIDS sensor should have a shadow interface enabled
for monitoring and should communicate back to the console only via a
private management network that is not accessible by any other devices.

It is also a good idea to not allow the NIDS sensor to accept new public
keys directly from a console but only when copied manually to the system.

Vendor Response:
Thanks to Ring Zero for taking this one to the vendor for me. Here is a
portion of the email received back from ISS.

---------- Forwarded message ----------
Date: Wed, 20 Mar 2002 12:22:05 -0500
From: "Lamb, Kris (ISS Atlanta)" <KLamb@iss.net>
To: 'Ring Zero' <ringzero@www.nmrc.org>
Subject: RE: Anomaly in RealSecure

<SNIP>

As far as the starscream_skank, that was a QA box from the product
development team that was accidentally left in the iss.access when IPSO
shipped. We have already addressed this with Support and all customers
have been notified to remove that entry. It was removed in IPSO 6.5.

<SNIP>

-----------------------------------------

Solution/Workaround:
If you are running RealSecure version 6.0 or below, simply stop the NIDS
daemon, edit the ISS.ACCESS file, and remove the following line:

[\Roles\KeyAdministrato\starscream_skank\];

If you installed the IPSO manually and turned on authentication, you are
unaffected but should probably remove the line anyway.
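As an added example (not part of the advisory or the ISS product), a small Python audit that parses the KeyAdministrator entries of an ISS.ACCESS file, flags any machinename_username pair that is not on an operator-maintained allow-list, and writes out the file with the leftover entry removed as the workaround above describes. The sample file contents, the console01_issadmin entry and the allow-list are constructed assumptions.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of an ISS.ACCESS file, built from the lines quoted in
# the advisory. The "KeyAdministrato" path is kept exactly as shipped.
SAMPLE_ISS_ACCESS = r"""--ISS Access 6.0--
[\];
[\Roles];
[\Roles\KeyAdministrator\];
[\Roles\KeyAdministrator\console01_issadmin\];
[\Roles\KeyAdministrato\starscream_skank\];
[\Roles\MasterStatusManager\];
"""

# Hypothetical allow-list: the console host/user pairs the operator
# deliberately registered as KeyAdministrator at install time.
EXPECTED_KEY_ADMINS: Set[str] = {"console01_issadmin"}

# Leftover QA entry named in the advisory (removed by the vendor in 6.5).
KNOWN_LEFTOVER = "starscream_skank"

# Matches [\Roles\KeyAdministrator\host_user\]; and also tolerates the
# truncated "KeyAdministrato" spelling present in the shipped image.
ENTRY_RE = re.compile(r"^\[\\Roles\\KeyAdministrato(?:r)?\\([^\\\]]+)\\\];$")


def key_administrators(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, machinename_username) for every KeyAdministrator entry."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append((lineno, m.group(1)))
    return found


def audit(text: str, expected: Set[str]) -> List[Tuple[int, str, str]]:
    """Flag entries missing from the allow-list; the known leftover gets its own tag."""
    findings = []
    for lineno, ident in key_administrators(text):
        if ident in expected:
            continue
        reason = "known-leftover-qa-entry" if ident == KNOWN_LEFTOVER else "unexpected"
        findings.append((lineno, ident, reason))
    return findings


def remove_entries(text: str, idents: Set[str]) -> str:
    """Return the file with the named KeyAdministrator entries dropped (the advisory's fix)."""
    kept = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(1) in idents:
            continue  # drop the offending role entry, keep everything else untouched
        kept.append(line)
    return "\n".join(kept) + "\n"
```

Run audit() before and after remove_entries() with the NIDS daemon stopped; an empty findings list after the rewrite confirms only the allow-listed console can act as KeyAdministrator.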

ADDITIONAL INFORMATION

The information has been provided by hellNbak <hellnbak@nmrc.org>.
